The PDPL, Ensuring Data Privacy and Protection

October 29, 2021 | 5 minutes read
The PDPL, Ensuring Data Privacy and Protection

Montenegro’s Personal Data Protection Law 79/08 and 70/09, also known as the PDPL for short, is a data protection law that was passed in 2012. As Montenegro is one of a handful of nations in Europe that is not a part of the European Union and as such, does not fall under the jurisdiction of the General Data Protection Regulation or GDPR, the country needed a data protection law that would be comparative to other European data privacy laws. To this extent, the PDPL was largely modeled after the EU’s Data Protection Directive or Directive 95/46/EC, subsequently placing the law in general compliance with the EU’s current GDPR Law. As such, the PDPL puts forth the legal framework that data controllers, processors, and organizations must adhere to at all times when engaging in data processing activities.

How are data controllers and processors defined under the PDPL?

Under the PDPL, the term data controller is defined to mean  “An individual or legal entity who processes personal data on the territory of Montenegro or on the territory outside of Montenegro where, under international law, Montenegrin regulations apply; or is incorporated outside Montenegro or does not have a residence in Montenegro but uses equipment for data processing situated in Montenegro, except if the equipment is used only for transfer of personal data over the territory of Montenegro”. As the PDPL contains no provisions that explicitly state the territorial scope of the law, the term data controller accounts for individuals and legal entities both inside and outside of Montenegro.

Alternatively, the term data processor is defined to mean “A public authority, public administration body, self-government, or local administration authority, commercial enterprise, or other legal person, entrepreneur or a natural person, who performs tasks concerning the processing of personal data on behalf of the controller”. In terms of the types of personal data that are covered by the PDPL, the law “applies to automated or non-automated processing of personal data contained or intended to be contained in a filing system”. Moreover, the processing of personal data includes all functions and operations undertaken in regard to personal data, including collection, processing, transmitting, classifying, and deleting.

What are the obligations of data controllers and processors under the PDPL?

Under the PDPL, data controllers and processors who process the personal data of Montenegrin citizens are required to fulfill the following obligations and responsibilities:

What are the rights of Montenegrin citizens under the PDPL?

The PDPL provides Montenegrin citizens with the following rights as it relates to data protection and privacy:

In terms of punishment as it pertains to violations of the law, the PDPL is enforced by the Agency for Personal Data Protection and Free Access to Information, or the AZLP for short. To this end, the AZLP has the power to impose the following sanctions for non-compliance under the law:

As Montenegro is one of the various countries within Europe that is not a part of the EU and does not fall under the jurisdiction of the General Data Protection Regulation as a result, the PDPL serves to protect the privacy and personal data of Montenegrin citizens. However, despite the fact that Montenegro is not a part of the European Union, the EU’s data legislation policies throughout the years have undoubtedly played a large role in influencing many of the provisions of the PDPL. In this way, Montenegrin citizens are afforded a level of data privacy that is similar to their European counterparts.

Related Reads

Anyone doing business in or with the EU's 27 member states must take redaction seriously or possibly face million euro fines.
June 20, 2024 | 5 minutes read
The EU’s GDPR And How To Best Comply In 2024

What is the GDPR? How do you comply? With CaseGuard Studio, the all-in-one redaction solution, sensitive data redaction is made simple with powerful AI tools.

Learn More »
Two police officers on motor cycles watching people use a cross walk in the UK.
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Doctor in green scrubs looking at multiple computer screens with sensitive medical information on them
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
healthcare worker
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
surveillance-cameras
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
Dark room with an investigator standing behind suspect
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »